
Restoring onboard key management encryption keys

Occasionally, you may need to restore an onboard key management encryption key. Once you have verified that a key needs to be restored, you can run the Onboard Key Manager setup wizard to restore the key.

Before you begin

In ONTAP 9.6 and later, you can use the security key-manager key query -node node command to verify whether your key needs to be restored.

In ONTAP 9.5 and earlier, you can use the security key-manager key show command to verify whether your key needs to be restored.

  1. If you are running ONTAP 9.8 and later, and your root volume is encrypted, do the following:
    If you are running ONTAP 9.7 or earlier, or if you are running ONTAP 9.8 or later and your root volume is not encrypted, skip this step.
    1. Boot the node to the boot menu and select option (10) Set onboard key management recovery secrets.
    2. Enter y to use this option.
    3. At the prompt, enter the onboard key management passphrase for the cluster.
    4. At the prompt, enter the backup key data.
      The node returns to the boot menu.
    5. From the boot menu, select option (1) Normal Boot.
  2. Restore the key:
    For this ONTAP version...    Use this command...
    ONTAP 9.6 and later          security key-manager key query -node node
    ONTAP 9.5 and earlier        security key-manager key show

    For complete command syntax, see the man pages.

    Example

    The following ONTAP 9.6 command lets you verify that an onboard key management encryption key needs to be restored in cluster1:

    cluster1::> security key-manager key query
    Vserver: cluster_1
    Key Manager: onboard
    Node: node1
    Key Server: ""

    Key Tag Key Type Restored
    ------- -------- --------
    node1 NSE-AK false
    Key ID: 0000000000000000020000000000010003c6139e9a2beaf817ff69d72f33663c0000000000000000
    node1 NSE-AK true
    Key ID: 00000000000000000200000000000100fb5fdc42e0043632b2f7f7f439fe77c50000000000000000

    Vserver: cluster_1
    Key Manager: onboard
    Node: node2
    Key Server: ""

    Key Tag Key Type Restored
    ------- -------- --------
    node2 NSE-AK true
    Key ID: 0000000000000000020000000000010003c6139e9a2beaf817ff69d72f33663c0000000000000000
    node2 NSE-AK true
    Key ID: 00000000000000000200000000000100fb5fdc42e0043632b2f7f7f439fe77c50000000000000000
    4 entries were displayed.

  3. If the Restored column shows false for a key, restore the key:
    For this ONTAP version...    Use this command...
    ONTAP 9.6 and later          security key-manager onboard sync
    ONTAP 9.5 and earlier        security key-manager setup -node node

    For complete command syntax, see the man pages.

    Example

    The following ONTAP 9.6 command synchronizes the keys in the onboard key hierarchy:

    cluster1::> security key-manager onboard sync

    Enter the cluster-wide passphrase for onboard key management in Vserver "cluster1":: <32..256 ASCII characters long text>

  4. At the passphrase prompt, enter the onboard key management passphrase for the cluster.
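As an added example that is not part of NetApp's documentation, the following Python script parses captured output of security key-manager key query (in the exact layout shown in step 2) and lists every key whose Restored column is false, so an operator can spot nodes that still need the onboard sync before the cluster is left with keys it cannot unlock. The sample text is the example output from this page embedded as a constant; the function names are this example's own.

```python
import re

# Constructed sample: the ONTAP 9.6 'security key-manager key query' output
# shown in step 2 of this procedure (Key IDs copied from that example).
SAMPLE_OUTPUT = """\
cluster1::> security key-manager key query
Vserver: cluster_1
Key Manager: onboard
Node: node1
Key Server: ""

Key Tag Key Type Restored
------- -------- --------
node1 NSE-AK false
Key ID: 0000000000000000020000000000010003c6139e9a2beaf817ff69d72f33663c0000000000000000
node1 NSE-AK true
Key ID: 00000000000000000200000000000100fb5fdc42e0043632b2f7f7f439fe77c50000000000000000

Vserver: cluster_1
Key Manager: onboard
Node: node2
Key Server: ""

Key Tag Key Type Restored
------- -------- --------
node2 NSE-AK true
Key ID: 0000000000000000020000000000010003c6139e9a2beaf817ff69d72f33663c0000000000000000
node2 NSE-AK true
Key ID: 00000000000000000200000000000100fb5fdc42e0043632b2f7f7f439fe77c50000000000000000
4 entries were displayed.
"""

# A key row is "<tag> <type> <true|false>"; the Key ID follows on the next line.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(true|false)$")
KEY_ID = re.compile(r"^Key ID:\s*([0-9a-fA-F]+)$")

def parse_key_query(text: str) -> list[dict]:
    """Return one record per key: node, tag, key type, restored flag, key ID."""
    records, node, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Node:"):                 # new per-node section
            node = line.split(":", 1)[1].strip()
        elif (m := ROW.match(line)):                 # key row; ID comes next
            pending = {"node": node, "tag": m[1], "type": m[2],
                       "restored": m[3] == "true"}
        elif (m := KEY_ID.match(line)) and pending:  # attach ID, emit record
            pending["key_id"] = m[1]
            records.append(pending)
            pending = None
    return records

def keys_needing_restore(text: str) -> list[dict]:
    """Keys whose Restored column is false: run the onboard sync for these nodes."""
    return [r for r in parse_key_query(text) if not r["restored"]]
```

Run keys_needing_restore on the saved output of the query; an empty result means every key is already restored on every node.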